submitted 6 months ago by trilobite@lemmy.ml to c/selfhost@lemmy.ml

I've tried unsuccessfully to get Vaultwarden working without a proxy. See here. Any request with https leads me to the SSL_ERROR_RX_RECORD_TOO_LONG error, while via http I get the "Loading wheel" running indefinitely.

Although the top of the page here suggests you can run Vaultwarden internally without a proxy, my experience suggests that this is not the case, and I have tried on different VMs, getting the same error. So it seems like the only way is going via a proxy. From what I've read, people seem to suggest that Traefik is the way to go. So I'm thinking of setting it up on the same VM as Vaultwarden.

Note that my network is behind a pfSense install on another hardware machine. DNS forwarding is enabled with Unbound. Will installing Traefik require changes to the pfSense config? Looks like it may be the case from here. For now all I want is to get Vaultwarden going; later down the line I'll learn how Traefik can benefit the rest of my homelab.

I'm trying to work out the simplest way of getting Vaultwarden going using a minimalistic proxy, as there seems to be no alternative to not having a proxy going. Thoughts?

[-] tvcvt@lemmy.ml 5 points 6 months ago

Traefik is a very robust reverse proxy, but I think you have easier options. If you want to keep it all in the same stack, have a look at Caddy. The configuration is just a few lines. Another very good option since you’re already using pfSense would be to use the HAProxy plugin. You’ll get a UI to manage everything and Tom Lawrence has some very helpful videos about setting it up from start to finish.

[-] passepartout@feddit.org 1 points 6 months ago

I like both very much for what they are and would confirm that Caddy is a lot easier for beginners. The only downside is that you have to rebuild the binary with caddyx for more functionality, which can be limiting, e.g. for people wanting to start with DNS challenges for (wildcard) certificates.

[-] JASN_DE@feddit.org 2 points 6 months ago* (last edited 6 months ago)

Um... The "barebones" docker compose doesn't use TLS. How did you try to access the web UI?

Do you have your browser set to HTTPS-only by any chance?

[-] Lem453@lemmy.ca 1 points 6 months ago

I used this guide to use Traefik with a wildcard certificate from Let's Encrypt that is internal only. So I have

Immich.domain.com

And also

Vault.local.domain.com

This allows something like vaultwarden to only be accessible on my internal LAN while something like immich is exposed so I can share albums with anyone I want.

If I want to connect to vaultwarden while away from home, I connect to wireguard first then access via the local URL.

In docker I don't even close the app's ports, so even locally everything has SSL everywhere.

https://youtu.be/liV3c9m_OX8

[-] prenatal_confusion@feddit.org 1 points 6 months ago

Regarding the spinning wheel: if accessed with a browser over HTTP you never get through, but the clients on desktop and mobile worked with HTTP. At least until a few weeks ago. That forced me to get it working with a reverse proxy. Neither Traefik nor npm did the trick, and now I have a beautiful Pangolin instance running on my VPS. That software is amazing so far.

this post was submitted on 21 Dec 2025